In general, virtualization is a technique for hosting different guest operating systems concurrently on the same computing platform. With the emergence of hardware support for full virtualization in an increased number of hardware processor architectures, new virtualization software architectures have emerged. One such virtualization architecture involves adding a software abstraction layer, sometimes referred to as a virtualization layer, between the physical hardware and a virtual machine (referred to as “VM”).
A VM is a software abstraction that operates like a physical (real) computing device having a particular operating system. A VM typically features pass-through physical and/or emulated virtual system hardware, and guest system software. The virtual system hardware is implemented by software components in the host (e.g., virtual central processing unit “vCPU” or virtual disk) that are configured to operate in a similar manner as corresponding physical components (e.g., physical CPU or hard disk). The guest system software, when executed, controls execution and allocation of virtual resources so that the VM operates in manner consistent to operations of the physical computing device. As a result, the virtualization software architecture allows for a computing device, which may be running one type of “host” operating system (OS), to support a VM that operates like another computing device that is running another OS type.
In some malware detection systems, malware detection components and malware classification components are deployed as part of the same binary (executable). This poses significant issues. Firstly, this deployment offers no safeguards for detecting whether any portion of the malware detection component or malware classification component has become infected with malware. Secondly, when placed in the same binary, the malware detection component is not logically isolated from a malware classification component. As a result, remediation of injected malicious code that has migrated into the malware detection component would also require analysis of the integrity of the malware classification component. This increases the overall amount of time (and cost) for remediation.
Lastly, an attacker may often exploit a user process and then proceed to attack the guest OS kernel. Advanced attackers may attack the guest OS kernel directly. In some cases, threat protection in the guest user mode (e.g., guest process) or the guest kernel mode (e.g., inside the guest OS kernel) is not secure because the attacker may operate at the same privilege level as threat protection logic. Another threat protection component is needed to enhance security of a computing device.